88
Step Command Remarks
2. Configure the DHCP
snooping device to back up
DHCP snooping entries to a
file.
dhcp snooping
binding database
filename
{ filename |
url
url [
username
username
[
password
{
cipher
|
simple
} key ] ] }
By default, the DHCP snooping device does
not back up DHCP snooping entries.
With this command executed, the DHCP
snooping device backs up DHCP snooping
entries immediately and runs auto backup.
This command automatically creates the file if
you specify a non-existent file.
3. (Optional.) Manually save
DHCP snooping entries to
the backup file.
dhcp snooping
binding database
update now
N/A
4. (Optional.) Set the waiting
time after a DHCP snooping
entry change for the DHCP
snooping device to update
the backup file.
dhcp snooping
binding database
update interval
seconds
The default waiting time is 300 seconds.
When a DHCP snooping entry is learned,
updated, or removed, the waiting period
starts. The DHCP snooping device updates
the backup file when the specified waiting
period is reached. All changed entries during
the period will be saved to the backup file.
If no DHCP snooping entry changes, the
backup file is not updated.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that
contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This
attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot
obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system
resources. For information about the fields of DHCP packet, see "DHCP message format."
Y
ou can prevent DHCP starvation attacks in the following ways:
• If the forged DHCP requests contain different sender MAC addresses, use the mac-address
max-mac-count command to limit the number of MAC addresses that a Layer 2 port can learn.
For more information about the command, see Layer 2—LAN Switching Command Reference.
• If the forged DHCP requests contain the same sender MAC address, perform this task to
enable MAC address check for DHCP snooping. This function compares the chaddr field of a
received DHCP request with the source MAC address field in the frame header. If they are the
same, the request is considered valid and forwarded to the DHCP server. If not, the request is
discarded.
To enable MAC address check:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Enable MAC address check.
dhcp snooping check mac-address
By default, MAC address
check is disabled.
To Next Page
Loading...
